Forum OpenACS Development: Re: How to securely store your passwords

Posted by Neophytos Demetriou on
Thanks Gustaf. One thing I like about bcrypt is that there is one variable, the work factor. 10-12 is a good value and you can increase it linearly. I am looking at argon2 from your commit and it requires: memcost, lanes, threads, and so on. You have to be a scientist to use it.


        set r [::ns_crypto::argon2 -variant argon2id \
                   -password "1234567890" \
                   -salt "saltsaltsaltsalt" \
                   -memcost 12288 \
                   -lanes 1 \
                   -iter 3 \
                   -threads 1 \
                   -outlen 16]

Yup, argon2 won that competition but I like bcrypt's simplicity.

Posted by Gustaf Neumann on
> You have to be a scientist to use it.

No, systems already provide proper parameterizations, which are provided as recommendations from scientists. The same thing is true for scrypt. Parameterization is usually seen as an advantage of scrypt and argon2 over bcrypt.
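
The point about shipped parameterizations, as an added example that is not part of the thread or of NaviServer: callers pick a named preset instead of raw cost values, and the costs are stored with each hash so they can be raised later. It uses Python's `hashlib.scrypt` (scrypt rather than the argon2 call quoted above); the names `PROFILES`, `hash_password`, `verify_password`, `needs_rehash` and the preset numbers are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os

# Named presets so callers never choose raw cost parameters themselves.
# The numbers are illustrative assumptions, not values from the thread.
PROFILES = {
    "2019": {"n": 2**13, "r": 8, "p": 1},
    "current": {"n": 2**14, "r": 8, "p": 2},
}
MAXMEM = 64 * 1024 * 1024  # memory ceiling handed to the scrypt call


def _derive(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=n, r=r, p=p, maxmem=MAXMEM, dklen=32)


def hash_password(password: str, profile: str = "current") -> str:
    """Return a self-describing record: scheme$n$r$p$salt$hash."""
    params = PROFILES[profile]
    salt = os.urandom(16)  # fresh random salt for every password
    digest = _derive(password, salt, **params)
    fields = ["scrypt", params["n"], params["r"], params["p"],
              base64.b64encode(salt).decode(),
              base64.b64encode(digest).decode()]
    return "$".join(str(f) for f in fields)


def _parse(record: str):
    scheme, n, r, p, salt, digest = record.split("$")
    if scheme != "scrypt":
        raise ValueError("unsupported scheme")
    return ({"n": int(n), "r": int(r), "p": int(p)},
            base64.b64decode(salt), base64.b64decode(digest))


def verify_password(password: str, record: str) -> bool:
    """Recompute with the costs stored in the record, compare in constant time."""
    params, salt, digest = _parse(record)
    return hmac.compare_digest(_derive(password, salt, **params), digest)


def needs_rehash(record: str, profile: str = "current") -> bool:
    """True when the record was created with costs other than the preset's."""
    return _parse(record)[0] != PROFILES[profile]
```

After a successful `verify_password`, a record for which `needs_rehash` is true can be replaced with `hash_password` output at the current preset, which is how the cost is raised without resetting passwords.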